<<

. 2
( 2)



Page 328
Prev. Chapter Home Previous Page
Next Page
Prev. page
Next Page Next Chapter
13.12 Skipjack


16 bits, which are XORed with the remaining sub-block; then the whole block is cir-
cularly shifted 16 bits to become the input to the next round, or shift. This also
implies 128 bytes of S-box data. I suspect that the S-boxes are key-dependent.
The structure of Skipjack is probably similar to DES. The NSA realizes that their
tamper-proof hardware will be reverse-engineered eventually; they won™t risk any
advanced cryptographic techniques.
The fact that the NSA is planning to use the Skipjack algorithm to encrypt their
Defense Messaging System (DMS) implies that the algorithm is secure. To convince
the skeptics, NIST allowed a panel of “respected experts from outside the govern-
ment . . . access to the confidential details of the algorithm to assess its capabilities
and publicly report its findings” [SlZ].
The preliminary report of these experts [262] (there never was a final report, and
probably never will be) concluded that:
Under an assumption that the cost of processing power is halved every 18
months, it will be 36 years before the difficulty of breaking Skipjack by exhaus-
tive searchwill be equal to the difficulty of breaking DES today. Thus, there is no
significant risk that Skipjack will be broken by exhaustive search in the next
30-40 years.
There is no significant risk that Skipjack can be broken through a shortcut
method of attack, including differential cryptanalysis. There are no weak keys;
there is no complementation property. The experts, not having time to evaluate
the algorithm to any great extent, instead evaluated NSA™s own design and evalu-
ation process.
The strength of Skipjack against a cryptanalytic attack doesnot depend on the
secrecy of the algorithm.
Of course, the panelists did not look at the algorithm long enough to come to any
conclusions themselves. All they could do was to look at the results that the NSA
showed to them.
One unanswered question is whether the Skipjack keyspace is flat (see Section
8.2). Even if Skipjack has no weak keys in the DES sense, some artifact of the key-
scheduling process could make some keys stronger than others. Skipjack could have
2” strong keys, far more than DES; the odds of choosing one of those strong keys at
random would still be about 1 in 1000. Personally, I think the Skipjack keyspace is
flat, but the fact that no one has ever said this publicly is worrisome.
Skipjack is patented, but the patent is being withheld from distribution by a patent
secrecy agreement [ 11221. The patent will only be issued when and if the Skipjack
algorithm is successfully reverse-engineered. This gives the government the best of
both worlds: the protection of a patent and the confidentiality of a trade secret.
Page 329
Prev. Chapter Home Previous Page
Next Page
Prev. page
Next Page Next Chapter

<<

. 2
( 2)